topic Deny TCP (no connection) RST then SYN ACK in Network Security

Deny TCP (no connection) RST then SYN ACK

tryingtofixit — Fri, 19 Jul 2024 17:33:11 GMT

ASA 5525x with 9.x code

working with an IPsec tunnel a Fortinet is on the other side of the ipsec tunnel.

My server on 10.220.2.16 enters the asa INSIDE interface bound down the ipsec tunnel to 10.12.32.4

In the asa logs my 10.220.2.16 >10.12.32.4 getting FLAG RST on interface INSIDE followed by a SYN ACK.

We don't have any asymmetrical routing no dup routes pushing traffic in core switch to different endpoints. our crypto-maps have the correct interesting traffic defined along with the proper NATS.

We use static routes on the core to force our tunnel traffic to the ASA. No dup routes or more specific routes pointing subnet elsewhere.

The packet tracer gives 100% flow from start to finish.

Suggestions?

Re: Deny TCP (no connection) RST then SYN ACK

MHM Cisco World — Fri, 19 Jul 2024 18:07:32 GMT

""logging permit-hostdown""

this I think because you use tcp syslog server
when the syslog not reachable the asa reject add new tcp conn

add command above and check

MHM

Re: Deny TCP (no connection) RST then SYN ACK

tryingtofixit — Fri, 19 Jul 2024 19:40:17 GMT

thanks! we have a troubleshooting window on monday.

Re: Deny TCP (no connection) RST then SYN ACK

ccieexpert — Fri, 19 Jul 2024 19:46:20 GMT

Run packet capture with "trace detail" option:

https://community.cisco.com/t5/security-knowledge-base/asa-using-packet-capture-to-troubleshoot-asa-firewall/ta-p/3129889

this will give you more detail on what is going..

is it happening each time ? does pings work ?

Re: Deny TCP (no connection) RST then SYN ACK

tryingtofixit — Fri, 19 Jul 2024 19:53:24 GMT

just had a chance to check, we the logging permit-hostdown in our asa.

Re: Deny TCP (no connection) RST then SYN ACK

Sheraz.Salim — Sat, 20 Jul 2024 09:15:09 GMT

I have seen this issue in the past vpn-tunnel with AWS. In our case remote server and local server had some connectivity issue. The workaround work for us we have to implement TCP state bypass. Try enabling TCP state bypass for the specific traffic. This can help if the issue is related to TCP state tracking

access-list bypass_tcp_state extended permit ip host 10.220.2.16 host 10.12.32.4 class-map bypass_tcp_class match access-list bypass_tcp_state policy-map bypass_tcp_policy class bypass_tcp_class set connection advanced-options tcp-state-bypass service-policy bypass_tcp_policy global

Also ensure that the Fortinet device configuration matches the ASA configuration in terms of IPsec settings, NAT exemptions, and access lists. Mismatched configurations can cause issues.

Re: Deny TCP (no connection) RST then SYN ACK

MHM Cisco World — Sat, 20 Jul 2024 11:44:52 GMT

do you use Syslog with TCP or UDP ?

MHM

Re: Deny TCP (no connection) RST then SYN ACK

tryingtofixit — Wed, 24 Jul 2024 14:11:23 GMT

solution was needed static routes on the asa pointing to the 2nd ISP interface that ran this tunnel. traffic was getting routed out of 1st isp since it was preferred route on the asa.

Re: Deny TCP (no connection) RST then SYN ACK

MHM Cisco World — Wed, 24 Jul 2024 14:17:13 GMT

Thanks alot for update us

Have a nice summer

MHM

Re: Deny TCP (no connection) RST then SYN ACK

Sheraz.Salim — Wed, 24 Jul 2024 14:18:39 GMT

wow good catch. was not excepted to be that issue. thanks for the update.

Re: Deny TCP (no connection) RST then SYN ACK

ccieexpert — Wed, 24 Jul 2024 14:28:35 GMT

good catch.. usually the capture with trace detail should show you the path and give you some idea of why it is dropping a packet..